Posted

Hi guys,

I'm trying to catch additions to the Local Admin group when it is done via mmc.exe, or PowerShell by anyone.

The current rule "User added to Administrator group [F1000]" does not seem to trigger when it is done via mmc.exe.

The only rule that does trigger is the Critical rule when the operation is done via the net command.

  • ESET Staff
Posted (edited)

Adding a user through mmc.exe to the local administrator group doesn't have an effect on the F1000 functionality. It generates the same detection as any other method.

You do not see that it was done through mmc.exe because the User events are always tied to lsass.exe process.


Edited by j91321
Posted (edited)
1 hour ago, j91321 said:

Adding a user through mmc.exe to the local administrator group doesn't have an effect on the F1000 functionality. It generates the same detection as any other method.

You do not see that it was done through mmc.exe because the User events are always tied to lsass.exe process.


Hi,

Thank you for the reply. Yes, this is what I saw through ProcMon after posting this.

I have tried testing the rule on my endpoint but it does not trigger. I also checked there are no exclusions related to this, or Events related to lsass.exe with UserAddToGroup operation.

Edited by YossiC
  • ESET Staff
Posted

Well I'd probably need the dump of Raw Events from the machine when you were testing it to investigate this further (ProcMon trace could also be helpful) and also logs from the EI Agent (C:\ProgramData\ESET\INSPECT Connector\Logs).

This event is generated through ETW channel and should be the same as the log you can see in the Windows Event Log (4735 I think). I would also try reinstalling the connector just to be sure, and also the usual stuff, make sure the connector is on the latest version and that the operating system version is supported.

Posted
11 hours ago, j91321 said:

Well I'd probably need the dump of Raw Events from the machine when you were testing it to investigate this further (ProcMon trace could also be helpful) and also logs from the EI Agent (C:\ProgramData\ESET\INSPECT Connector\Logs).

This event is generated through ETW channel and should be the same as the log you can see in the Windows Event Log (4735 I think). I would also try reinstalling the connector just to be sure, and also the usual stuff, make sure the connector is on the latest version and that the operating system version is supported.

Can I send you this over PM?

Thanks.

  • Solution
Posted

Seems the rule is dependent on "Audit Security Group Management". Events are being recorded only after this is enabled.
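The fix above can be checked and reproduced end to end from an elevated PowerShell session. The script below is an added example, not code from the thread or from ESET: it reads the current state of the "Security Group Management" audit subcategory with auditpol, enables success and failure auditing for it, adds a throwaway local account to the built-in Administrators group (located by its well-known SID S-1-5-32-544 so the localized group name does not matter), removes it again, and then confirms that a Security log event 4732 ("A member was added to a security-enabled local group") was written for that member SID. The test account name prefix and the five-minute lookback window are assumptions chosen for the example.

```powershell
# Added example (not from the forum thread or from ESET): verify that the
# "Security Group Management" audit subcategory is enabled and that local
# group additions now produce Security event 4732. Run elevated.

$Subcategory = 'Security Group Management'

function Get-GroupManagementAuditState {
    # auditpol /r prints CSV; the "Inclusion Setting" column shows Success/Failure/No Auditing.
    auditpol /get /subcategory:"$Subcategory" /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Enable-GroupManagementAudit {
    # Local setting only. If advanced audit policy is delivered by GPO, change it there
    # (Advanced Audit Policy Configuration > Account Management > Audit Security Group Management).
    auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null
}

function Invoke-LocalAdminAddTest {
    # Creates a temporary user (assumed name prefix), adds it to Administrators by well-known SID,
    # then removes both. Returns the member SID so the audit event can be matched exactly.
    $userName = 'auditchk_' + (Get-Random -Maximum 99999)
    $password = ConvertTo-SecureString ('Tmp!' + [guid]::NewGuid().ToString('N')) -AsPlainText -Force
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    New-LocalUser -Name $userName -Password $password -Description 'temporary audit check' | Out-Null
    $memberSid = (Get-LocalUser -Name $userName).SID.Value
    try {
        Add-LocalGroupMember -Group $adminGroup -Member $userName
        Remove-LocalGroupMember -Group $adminGroup -Member $userName
    } finally {
        Remove-LocalUser -Name $userName
    }
    return $memberSid
}

function Find-MemberAddedEvent {
    param([string]$MemberSid, [int]$LookbackMinutes = 5)
    # 4732 = member added to a security-enabled local group. Match on the MemberSid field of the
    # event XML; for local accounts the MemberName field is often "-", so the SID is the reliable key.
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'MemberSid').'#text' -eq $MemberSid
    }
}

Write-Host "Audit state before:"; Get-GroupManagementAuditState | Format-Table -AutoSize
Enable-GroupManagementAudit
Write-Host "Audit state after:";  Get-GroupManagementAuditState | Format-Table -AutoSize

$sid = Invoke-LocalAdminAddTest
Start-Sleep -Seconds 2    # give the event log a moment to flush
$hit = Find-MemberAddedEvent -MemberSid $sid
if ($hit) {
    Write-Host "OK: event 4732 recorded for member SID $sid; the EDR rule now has something to consume."
    $hit | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Warning "No 4732 event for $sid. Check that a GPO is not overriding the local audit policy."
}
```

If the "after" state still shows "No Auditing", an advanced audit policy from Group Policy is overriding the local auditpol change and the subcategory has to be enabled in that GPO instead; once 4732 appears in the Security log, the same ETW-sourced data is what the connector forwards, so this is the first thing to confirm before collecting raw events or reinstalling.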
